
Re: debian/copyright format and SPDX



Hi Hideki,

Quoting Hideki Yamane (2023-09-08 08:39:09)
> 
>  tl;dr: How about considering updating debian/copyright format to have
>         more compatibility with SPDX format
> 
> 
>  SBOM is expected to be used widely and several tools support it as a trend
>  now, since the US government asks to use it. There are two formats for it,
>  Software Package Data Exchange (SPDX) and CycloneDX.
> 
>  SPDX is led by the Linux Foundation project, OpenChain, for license
>  compliance. And CycloneDX is developed by the Open Web Application Security
>  Project (OWASP), so it is intended to be used to track vulnerabilities, IMO.
> 
> 
>  Well, as I said above, several tools support SPDX and CycloneDX now and
>  continue to be expanded, so I consider it'd be better if debian/copyright
>  has more compatibility with them, especially SPDX. It would be easier
>  to handle debian/copyright data with tools that are outside of Debian.
> 
> 
>  Making an appropriate debian/copyright file is a hard and boring task, IMHO,
>  but if non-Debian people can also help with it, it would be easier to fix.

The only issue I am aware of is that the SPDX short name "MIT" equals the Debian
short name "Expat".  It sounds like you are referring to more and larger
incompatibilities than that.  Do you mean e.g. support for checksums of
files (which will blow up the size and kill the readability of the file)?

Perhaps as a start compile a list of incompatibilities on a wiki page -
or point to it if one already exists.  Then we can add pros and cons at
that page, as the discussion here progresses.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
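To make the Expat/MIT mismatch Jonas mentions concrete, here is an added example (not code from the thread, nor from any Debian or SPDX tool) that parses a constructed DEP-5 debian/copyright file and rewrites each Files stanza's License field as an SPDX license expression. The mapping table is an assumption covering only a few common short names; anything not in it is emitted as a LicenseRef placeholder rather than guessed.

```python
import re

# Constructed sample debian/copyright (DEP-5) content for this example; not from any real package.
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example

Files: *
Copyright: 2020 Example Author
License: Expat

Files: contrib/*
Copyright: 2019 Someone Else
License: GPL-2+ or BSD-3-clause

License: Expat
 Permission is hereby granted, free of charge, ...
"""

# Assumed DEP-5 short name -> SPDX identifier table; "Expat" -> "MIT" is the case
# raised in the thread, the others differ only in spelling or version suffix.
DEP5_TO_SPDX = {
    "Expat": "MIT",
    "GPL-2": "GPL-2.0-only",
    "GPL-2+": "GPL-2.0-or-later",
    "GPL-3": "GPL-3.0-only",
    "GPL-3+": "GPL-3.0-or-later",
    "BSD-2-clause": "BSD-2-Clause",
    "BSD-3-clause": "BSD-3-Clause",
    "Apache-2.0": "Apache-2.0",
}

def parse_files_stanzas(text):
    """Return (files_glob, dep5_license) pairs from the Files stanzas of a DEP-5 file."""
    result = []
    for stanza in re.split(r"\n\s*\n", text.strip()):  # stanzas are blank-line separated
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():  # continuation line of a multi-line field (e.g. license text)
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Files" in fields and "License" in fields:  # header and standalone License stanzas are skipped
            result.append((fields["Files"], fields["License"]))
    return result

def to_spdx_expression(dep5_license):
    """Translate a DEP-5 License value such as 'GPL-2+ or BSD-3-clause' to an SPDX expression."""
    out = []
    for tok in re.split(r"\s+(or|and)\s+", dep5_license):  # keeps the or/and operators as tokens
        if tok in ("or", "and"):
            out.append(tok.upper())  # SPDX expressions use OR / AND
        else:
            # Unknown names become a LicenseRef placeholder (only [A-Za-z0-9.-] allowed) instead of a guess.
            out.append(DEP5_TO_SPDX.get(tok, "LicenseRef-Debian-" + re.sub(r"[^A-Za-z0-9.-]", "-", tok)))
    return " ".join(out)

def spdx_licenses(text):
    """Map each Files glob in a DEP-5 file to its SPDX license expression."""
    return {files: to_spdx_expression(lic) for files, lic in parse_files_stanzas(text)}
```

A real SBOM exporter would also have to carry the per-file checksums Jonas asks about, which DEP-5 does not record at all.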
